CVE-2026-3723: SQL Injection in code-projects Simple Flight Ticket Booking System
CVE-2026-3723 is a SQL Injection vulnerability found in version 1.0 of the code-projects Simple Flight Ticket Booking System, specifically in the /Admindelete.php file via the flightno parameter. This flaw allows an unauthenticated remote attacker to manipulate SQL queries, potentially leading to unauthorized data access or modification. The vulnerability has a CVSS 4.0 base score of 6.9, indicating medium severity, with no user interaction or privileges required for exploitation. Although no known exploits are currently observed in the wild, a public exploit has been released, increasing the risk of attacks. Organizations using this booking system should prioritize patching or mitigating this issue to prevent data breaches or service disruptions. The threat primarily affects entities relying on this specific software version, with higher risk in countries where this product is deployed in aviation or travel sectors.
AI Analysis
Technical Summary
CVE-2026-3723 identifies a SQL Injection vulnerability in the Simple Flight Ticket Booking System version 1.0 developed by code-projects. The vulnerability resides in the /Admindelete.php file, where the flightno parameter is improperly sanitized, allowing attackers to inject malicious SQL code. This injection flaw enables remote attackers to manipulate backend database queries without authentication or user interaction, potentially leading to unauthorized data disclosure, data modification, or deletion. The vulnerability is exploitable over the network, increasing its risk profile. The CVSS 4.0 vector indicates no privileges or user interaction are required, with low complexity and partial impact on confidentiality, integrity, and availability. Although no active exploitation has been reported, the public availability of an exploit increases the likelihood of attacks. The lack of a vendor patch at the time of disclosure necessitates immediate mitigation efforts. This vulnerability is critical for organizations using this booking system, especially those handling sensitive flight and customer data, as exploitation could compromise operational integrity and customer trust.
Potential Impact
The SQL Injection vulnerability could allow attackers to access or manipulate sensitive flight booking data, including passenger information and flight schedules. This can lead to data breaches, unauthorized changes to bookings, or disruption of booking operations. The integrity of the booking system could be compromised, resulting in financial losses and reputational damage. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, potentially affecting any organization using the affected software version globally. The availability of a public exploit increases the risk of automated attacks and widespread exploitation. In critical infrastructure or high-volume travel service providers, such an attack could disrupt services and impact customer safety and satisfaction. The medium severity rating reflects the balance between ease of exploitation and partial impact on system security properties.
Mitigation Recommendations
Organizations should immediately review and restrict access to the /Admindelete.php script, ideally limiting it to trusted administrative networks. Implement strict input validation and sanitization on the flightno parameter to prevent injection of malicious SQL code. Transition the codebase to use parameterized queries or prepared statements to eliminate SQL injection vectors. Monitor web application logs for suspicious activity targeting the flightno parameter or /Admindelete.php endpoint. If possible, apply any vendor patches or updates once released. Employ web application firewalls (WAFs) with rules designed to detect and block SQL injection attempts targeting this parameter. Conduct thorough security testing of the booking system to identify and remediate other potential injection points. Educate development teams on secure coding practices to prevent similar vulnerabilities in future releases.
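As an added illustration of the two code-level recommendations above (allow-list validation of flightno and a parameterized DELETE), this is a hypothetical hardened handler written here for this page, not code from the code-projects project. The table and column names, the session key, the connection credentials, the expected flight-number format and reading the parameter from the query string are all assumptions.

```php
<?php
// Hypothetical hardened replacement for an Admindelete.php-style handler (added example).
// Assumptions, not from the original project: table `flights`, column `flightno`,
// session key `admin_id`, and flight numbers shaped like 2-3 uppercase letters + 1-4 digits.
declare(strict_types=1);

// Returns the flight number if it matches the allow-list format, otherwise null.
// Rejecting anything outside the expected shape removes quotes, comments and
// operators before the value ever reaches the database layer.
function validate_flightno(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $value = trim($raw);
    return preg_match('/^[A-Z]{2,3}[0-9]{1,4}$/', $value) === 1 ? $value : null;
}

// Deletes one flight through a prepared statement: the value is bound as data,
// so it is never interpreted as part of the SQL text. Returns rows affected.
function delete_flight(mysqli $db, string $flightno): int
{
    $stmt = $db->prepare('DELETE FROM flights WHERE flightno = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $flightno);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Request handling: require an authenticated admin session, validate, then delete.
session_start();
if (empty($_SESSION['admin_id'])) {               // session key is an assumption
    http_response_code(403);
    exit('forbidden');
}
$flightno = validate_flightno($_GET['flightno'] ?? null);
if ($flightno === null) {
    http_response_code(400);
    // Log rejected values so monitoring can spot probing of this endpoint.
    error_log('Admindelete: rejected malformed flightno from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    exit('invalid flight number');
}
$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'booking'); // placeholder
$db->set_charset('utf8mb4');
echo delete_flight($db, $flightno) === 1 ? 'deleted' : 'no such flight';
```

The 400 responses this handler logs give the "monitor web application logs" recommendation a concrete signal to alert on: any request to /Admindelete.php whose flightno fails the format check.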
Affected Countries
United States, India, United Kingdom, Germany, Australia, Canada, France, United Arab Emirates, Singapore, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-07T17:12:27.239Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ad38dd2904315ca3862bf7
Added to database: 3/8/2026, 8:52:45 AM
Last enriched: 3/8/2026, 9:07:05 AM
Last updated: 3/8/2026, 4:14:12 PM